LOCAL CHAPTERS

Find chapters in your area

SHRM, Council Seek Knowledge-Based Authentication for myE-Verify

The Society for Human Resource Management (SHRM) and the Council for Global Immigration recommended that proposed revisions to the E-Verify Self-Check program incorporate dynamic, multidimensional, knowledge-based authentication technology to safeguard against identity theft.

SHRM and the Council submitted comments on March 20, 2014, to U.S. Citizenship and Immigration Services (USCIS) in response to proposed revisions to the Self-Check program—to be renamed myE-Verify, a free portal through which E-Verify users will be able to create an account, track case status and lock Social Security numbers.

myE-Verify will allow workers in the United States to enter data into the E-Verify system to ensure that the information relating to their eligibility to work is correct and accurate, the agency said. Additional features will enable employees to “proactively engage with E-Verify through a suite of Web-based services.”

Self-Check was initially developed as a service that U.S. workers could use to check their own employment eligibility status completely separate from the employer-focused E-Verify process.

Dynamic and Multidimensional

SHRM and the Council explained that knowledge-based authentication (KBA) that draws upon multiple data sources from variable points in time is the best technology option available to ensure that the person whose identity is being verified is the person entering the information. “The Social Security number locking mechanism in myE-Verify increases the urgency,” the organizations wrote.

“An identity thief who defeats the low level of KBA currently in Self-Check can verify whether the employee has current authorization to work in the United States,” they noted. “When myE-Verify comes online and uses the same low-level KBA that is currently used for Self-Check, as is proposed, the identify thief would be able to accomplish a much more nefarious purpose—locking the employee’s Social Security number in E-Verify and preventing employers from verifying his work authorization through E-Verify.”

Presently, Self-Check draws from a single data source purchased from a private entity, resulting in a simple form of KBA that an identity thief could easily defeat by learning a few basic facts about the victim, according to SHRM and the Council.

A Council employee used Self-Check as a test. Three of the four questions asked for information pertained to a single former address, and the last question asked which state issued his Social Security number.

Thus, “if an identity thief knew the address where this employee lived seven months ago and the state where he was born, the identify thief would be able to defeat the static KBA currently used in Self-Check,” the organizations wrote.

That’s why SHRM and the Council recommend using multidimensional KBA that draws from many sources—including government entities such as the Social Security Administration, the Office of Biometric Identity Management and the Department of State—to formulate queries about distinct data.

“KBA must also be sufficiently dynamic—i.e., asking a series of questions that draw from real-time data rather than data that was provided at a single point in time,” they wrote.

Self-Check uses static KBA, relying on data purchased at a single point in time that does not change.

SHRM and the Council further advised that contracts with any outside vendors limit use of information obtained from myE-Verify to that which is required in the Fair Credit Reporting Act.

“As important as accuracy is to our members, SHRM and the Council believe that protecting the privacy of Americans should be our paramount concern when developing an eligibility verification system.”

The organizations urged USCIS to set language when contracting with any information providers to ensure that the privacy of U.S. citizens and foreign nationals are protected and that KBA providers will not be able to use information provided in any fashion other than for myEVerify.